Clusterheadaches.com Message Board (http://www.clusterheadaches.com/cgi-bin/yabb/YaBB.cgi)
New Message Board Archives >> 2005 General Board Posts >> Dear HACKER
(Message started by: unsolved1 on Nov 30th, 2005, 5:21pm)

Title: Dear HACKER
Post by unsolved1 on Nov 30th, 2005, 5:21pm
OK...someone is seriously screwing with me.

My broadband ISP gives you 6 e-mail accounts. Each account comes with 10MB of webspace.

Someone is using one of my accounts to send out spam and viruses. I'm getting the mail daemons (some with viruses attached).

I've changed the account password 3 times already and they keep getting by it ... so I've temporarily closed that account completely.

Is there a way I can re-open this account or is this bastage going to keep getting in? Any suggestions?

UNsolved

Title: Re: Dear HACKER
Post by Jonny on Nov 30th, 2005, 5:24pm
Contact your ISP?

Title: Re: Dear HACKER
Post by Ghost on Nov 30th, 2005, 5:25pm
Also, having them change your ISP address may help.

Title: Re: Dear HACKER
Post by Rock_Lobster on Nov 30th, 2005, 5:44pm
How is he getting your passwords?  Mayhaps you have a keylogger running on your system.

Hit CTRL-ALT-DELETE.  Windows Task Manager will come up.  Take screen shots of that, scrolling through it and taking multiple shots if necessary.  Post the results... let us see what you have running.


Title: Re: Dear HACKER
Post by maffumatt on Nov 30th, 2005, 6:03pm
Do a virus scan in safe mode. Wouldn't be surprised if the Sober-X worm is to blame. It will replicate itself in emails and send them from your computer.

Title: Re: Dear HACKER
Post by Opus on Nov 30th, 2005, 6:58pm
Do the above to see if your computer is owned by a spammer,
if it is clean then try reopening the account with a strong password, if you haven't tried that. All passwords should be a combination of letters, numbers and symbols. Make a super strong password like H9*ga2%1.Z:(Ish&; if the account becomes owned again, then you know it is an inside job.

Either inside your ISP, or more probably inside your computer.

Opus/Paul

Title: Re: Dear HACKER
Post by Jonny on Nov 30th, 2005, 7:07pm

on 11/30/05 at 17:44:13, Rock_Lobster wrote:
Hit CTRL-ALT-DELETE.  Windows Task Manager will come up.  Take screen shots of that, scrolling through it and taking multiple shots if necessary.  Post the results... let us see what you have running.


The applications or the processes?

Title: Re: Dear HACKER
Post by cootie on Nov 30th, 2005, 11:07pm
I got a notice the other day that about 30 emails I sent out could not be sent...... I never heard of any of them addys and all were .com addys too. Seen the email addy on some of them, sumthing/spammer? I wasn't sure if it was a fluke email wantin me to do sumthin or what? I'm not too computerly enhanced to know what is what. Pam

Title: Re: Dear HACKER
Post by Rock_Lobster on Dec 1st, 2005, 12:59am

on 11/30/05 at 19:07:01, Jonny wrote:
The applications or the processes?


processes

Title: Re: Dear HACKER
Post by cootie on Dec 1st, 2005, 1:15am
Hey I did that with the task manager and all it said was 'owner.... network service, system, local service' under processes. Did that sound ok? Only said 'owner' under users. I dunno much about this stuff so am tryin to keep up. Hock up a hacker Pam

Title: Re: Dear HACKER
Post by Rock_Lobster on Dec 1st, 2005, 9:09am
I dunno... I would have to look at it. I am guessing that 'owner' is your user name. But what is actually running under each category is the important thing.

Here is an easier way to try this...
go here to download Iarsn TaskInfo...
http://downloads.iarsn.com/tskinf62.exe

When you fire it up, hit CTRL-ALT-C or go up and select Edit/Copy All Info To Clipboard.
Then paste it here (CTRL-V in a reply).

It is a shitload of info. Paste the whole thing here. Actually I am most interested in the Process Pane initially.... the first few pages... so if you have problems then just gimme that. The top of it will look like this...

[Process Pane]
|ProcessID| |Process|              |% CPU| |CPUGraph| |LT % CPU| |Time| |Sw/s| |InMem KB| |Private KB| |Total KB|   |Th||Pri|         |Ver||State|   |Handles| |Windows| |USER Obj| |GDI Obj|        |Start Time||Path|
                                                                                                                                                                                                               
           + Interrupts Time        3.00%                 2.40%   0:20   2234          0            0          0    1  Hard            4.0                  0         0          0         0                    Interrupts Time Placeholder
           + DPC Time               0.50%                 0.98%   0:04   2114          0            0          0    1  DPC             4.0                  0         0          0         0                    DPC Time Placeholder
           + Idle                  94.99%                85.80%   6:26    223         16            0          0    1  Very Idle       0.0                  0         0          0         0                    System Idle Process
4           + System                                       1.44%   0:12    139        220           28      1,876   66  Norm            0.0                308         0          0         0                    
1044        + smss.exe                                                       0        376          168      3,800    3  BNorm+1         5.132 Con           21         0          0         0   12/01/05 07:56:28C:\WINDOWS\System32\smss.exe
1196        + csrss.exe                                    0.06%   0:02    261      3,716        1,388     24,692   10  High            5.132 Con          474         0         56        43   12/01/05 07:56:29C:\WINDOWS\system32\csrss.exe

Title: Re: Dear HACKER
Post by cootie on Dec 1st, 2005, 10:42am
How do you take SCREEN SHOTS?? I tried to copy the processes window and can't. Yeah, I am listed as OWNER, it says under users, so would imagine OWNER is me. Most was owner? Didn't recognize half the stuff but then I am not computer savvy in a lot of areas. I don't go on weird sites but a lot of links for research were NOT what they were supposed to be. Strange daze in computerville Pam

PS: downloaded the link....... kinda cool even tho I don't understand it all. What is "help U save"....it is also running and says I own it?? Does the program work without buying it? Some cut ya off after so many uses.

Title: Re: Dear HACKER
Post by Rock_Lobster on Dec 1st, 2005, 11:23am
Within TaskInfo you can use the EDIT tab to cut the data to your clipboard. Then you can paste the info here.

Alternatively you can take a screenshot by hitting the Print Scrn button on your keyboard.  That would put a bitmap of the screen to your clipboard.  Then you paste the image into something such as MS Paint, then save the image and share it with us.

Which is why I presented TaskInfo as a solution.  Just use that... fire it up and cut/paste the info here.

Help U Save is most likely malware.  


Title: Re: Dear HACKER
Post by Racer1_NC on Dec 1st, 2005, 12:10pm

Quote:
Help U Save is most likely malware


Dang sure is............

Bill

Title: Re: Dear HACKER
Post by ExplodingEyeBall on Dec 1st, 2005, 12:59pm
Go to this URL.

http://www.lavasoftusa.com/support/download/

Click on the 'Software' button.

Install the program that downloads.

Update it and then do a complete scan and let it remove anything it finds.

It may not be a cure all but it's a good start.

Title: Re: Dear HACKER
Post by Drk^Angel on Dec 1st, 2005, 1:20pm
Hold on... So all the evidence you have is that you're gettin' messages bounced back to your e-mail address?  You have no other signs of either your internet or mail accounts being cracked?  Have you checked the bounced messages for the IP address the original message came from, or the mail server it was originally sent from.  Most mailer daemons will attach this information.  I'm guessin', the e-mail was not sent from your computer, or an IP address you have ever been assigned, or for that matter an IP address that your ISP even owns.  Prolly didn't get sent through your ISP's mail server either.  

Do all this other stuff, just to cover your arse, because ya don't want to be caught with your arse hangin' out... But I don't think any of it'll stop the mailer daemon messages.  I don't think the problem is from your system and/or account being cracked or having malware (God only knows what DDoS attacks your zombified system has been involved in though)... I believe what you have is just a simple little brain dead script kiddie spoofing your e-mail address on his spam and/or virus messages, so that he doesn't find himself sharing a very small, but very secure apartment with his new girlfriend Bubba.  Prolly a bunch of script kiddies from the sounds of it.  Did ya do anything to piss off a 14 year old pimple faced moron lately?  How about a 46 year old who still lives with his mother and her 86 cats?  Or maybe it's just because they like your address... Dunno... Don't matter.  

Problem is... They've got your address, they're prolly spoofin' it on a pedophile newsgroup as we speak... And there's nothing you can do about it.  Delete the account, or live with the bounced messages.  Who knows... Maybe you and mailer daemon will become penpals.

PFDAN............................................... Drk^Angel
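The check Drk^Angel describes (read the Received: headers of the returned message and see whether the first hop was anywhere near your ISP) can be automated. The following is an added example, not code from the thread: it parses a delivery-status bounce with Python's standard `email` package, pulls the bottom-most Received: header out of the returned original, and compares the injecting IP against your ISP's netblocks. The bounce text, the account address and the netblocks are all constructed (RFC 5737 documentation ranges), and the ISP netblock is an assumption you would replace with what WHOIS reports for your own connection.

```python
"""Triage a mailer-daemon bounce: was the original really injected from your
ISP's network, or is your address simply being spoofed?

Added example. Bounce text, addresses and netblocks are constructed
(RFC 5737 documentation ranges), not taken from any real message."""
import email
import ipaddress
import re
from email import policy

# Assumption: the netblock(s) your ISP assigns to its customers and mail
# servers. Look these up in the WHOIS record for your own public IP.
MY_ISP_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]
MY_ADDRESS = "unsolved@example.net"   # hypothetical account address

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def returned_original(bounce):
    """Return the original message (or its headers) a DSN carries, if any."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            payload = part.get_payload()
            return payload[0] if isinstance(payload, list) else payload
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def originating_ip(orig):
    """Each relay prepends a Received: header, so the LAST one is the first
    hop: the machine that actually injected the message."""
    received = [str(h) for h in orig.get_all("Received", [])]
    if not received:
        return None
    m = IP_RE.search(received[-1])
    return ipaddress.ip_address(m.group(1)) if m else None


def triage(raw_bounce):
    """Classify a raw bounce as spoofed, ISP-originated, or unrelated."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    orig = returned_original(bounce)
    if orig is None:
        return {"verdict": "no original headers in bounce", "origin": None}
    ip = originating_ip(orig)
    from_isp = ip is not None and any(ip in net for net in MY_ISP_NETBLOCKS)
    claims_me = MY_ADDRESS in (orig.get("From", "") + orig.get("Return-Path", ""))
    if claims_me and not from_isp:
        verdict = "spoofed: your address in From, but injected outside your ISP"
    elif from_isp:
        verdict = "injected from your ISP's network: check your machine and account"
    else:
        verdict = "not your address and not your ISP"
    return {"verdict": verdict, "origin": str(ip) if ip else None}


# Constructed sample: the spammer's box (203.0.113.77) injects mail with your
# address forged in From:, the remote MX rejects it and bounces to you.
BOUNCE_SPOOFED = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: unsolved@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd"

--bnd
Content-Type: text/plain

The following address failed: nobody@example.org

--bnd
Content-Type: message/rfc822

Received: from mx.example.org ([192.0.2.10]) by relay.example.org; Thu, 01 Dec 2005 12:00:02 -0500
Received: from dsl-77.example.com ([203.0.113.77]) by mx.example.org; Thu, 01 Dec 2005 12:00:01 -0500
From: unsolved@example.net
To: nobody@example.org
Subject: Hi

spam body
--bnd--
"""
# Same bounce, but the first hop is inside the (assumed) ISP netblock.
BOUNCE_FROM_ISP = BOUNCE_SPOOFED.replace("203.0.113.77", "198.51.100.23")

if __name__ == "__main__":
    for raw in (BOUNCE_SPOOFED, BOUNCE_FROM_ISP):
        print(triage(raw))
```

Only the last Received: header is worth trusting for this purpose, and even that one was written by the first relay, not by the sender; everything below it in the chain can be forged. If the origin lands inside your ISP's block, that is when the malware and password advice in this thread becomes relevant; if it is some unrelated address, you are looking at backscatter from spoofing and the account itself is probably fine.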

Title: Re: Dear HACKER
Post by byoung111 on Dec 1st, 2005, 1:21pm

on 11/30/05 at 17:21:12, unsolved1 wrote:
OK...someone is seriously screwing with me.

Someone is using one of my accounts to send out spam and viruses. I'm getting the mail daemons (some with viruses attached).


Just curious...How do you know they are sending mail using that account?

My guess is that your email address on that account is the reply-to address on the spam mail that was sent. In other words the spammer is sending mail using your address as the return address, if that makes sense.  So your account was probably not hacked.  Just something else to look at.

Brian

Modified: Drk^Angel beat me to it.

Title: Re: Dear HACKER
Post by Drk^Angel on Dec 1st, 2005, 1:23pm
I think there's an echo in here... here... here...  :P

PFDAN............................... Drk^Angel

Title: Re: Dear HACKER
Post by unsolved1 on Dec 1st, 2005, 1:32pm
I am just assuming that they're using my account because of the mail daemons that never even made it to their destination (I'm receiving them).

Here's a look at my task manager top to bottom
http://home.insightbb.com/~clusterhead/img1.png
http://home.insightbb.com/~clusterhead/img2.png

PS> I have no idea what ITunes is ! LOL!


Title: Re: Dear HACKER
Post by Rock_Lobster on Dec 1st, 2005, 2:09pm
Not too shabby.
rlvknlg is adware/spyware.  AdAware, which EEB pointed you toward, should nail that.

The Itunes stuff should not hurt you, but if you did not put it there then I would suggest whacking it.

I would say that your rig is fairly clean, and that it is as those guys suggested... your address is being spoofed... which is not a biggee at all and you can do nothing about anyway.  

Title: Re: Dear HACKER
Post by Racer1_NC on Dec 1st, 2005, 2:17pm
rlvknlg.exe is Adware........but nothing that would do what you describe.

Like others have said.......more than likely the emails are just a spoof.

Download the AdAware program......also SpyBot Search and Destroy. Run them weekly.....

Bill

Title: Re: Dear HACKER
Post by Racer1_NC on Dec 1st, 2005, 2:21pm
Echo in here......sorry. That's what I get for forgetting to hit post when I finished typing. Sheesh.

Bill

Title: Re: Dear HACKER
Post by Jonny on Dec 1st, 2005, 3:29pm
Hey Wrokk, how about this mess?....LOL ;;D

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\hp\bin\cloaker.exe
c:\hp\bin\commands.exe
c:\windows\system32\cmd.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
c:\hp\bin\MsgAction.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\ABP\Border Cam Alert\SBI Alert.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Opera75\opera.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

Title: Re: Dear HACKER
Post by Rock_Lobster on Dec 1st, 2005, 3:51pm
You are looking clean.
Heh heh... the border patrol cam app... heh heh!
Not sure what that Omnipass stuff is... guess it is password management... which is fine as long as you put it there.
Cloaker.exe made me go 'oh shit', but it turns out it is ok if it came from HP.

Title: Re: Dear HACKER
Post by Jonny on Dec 1st, 2005, 4:00pm
LMAO....Im watching the border, man!! ;;D

Thanks Bro!  ;)

Title: Re: Dear HACKER
Post by Opus on Dec 1st, 2005, 5:22pm
Hey this is fun, here is the output when I run ps aux:


Quote:
paul@dutch:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   1552   508 ?        S    Nov28   0:00 init [2]
root         2  0.0  0.0      0     0 ?        SN   Nov28   0:00 [ksoftirqd/0]
root         3  0.0  0.0      0     0 ?        S<   Nov28   0:00 [events/0]
root         4  0.0  0.0      0     0 ?        S<   Nov28   0:00 [khelper]
root        16  0.0  0.0      0     0 ?        S<   Nov28   0:00 [kacpid]
root        83  0.0  0.0      0     0 ?        S<   Nov28   0:00 [kblockd/0]
root       114  0.0  0.0      0     0 ?        S    Nov28   0:11 [pdflush]
root       115  0.0  0.0      0     0 ?        S    Nov28   0:09 [pdflush]
root       117  0.0  0.0      0     0 ?        S<   Nov28   0:00 [aio/0]
root       116  0.0  0.0      0     0 ?        D    Nov28   0:03 [kswapd0]
root       705  0.0  0.0      0     0 ?        S    Nov28   0:00 [kseriod]
root      1060  0.0  0.0      0     0 ?        S<   Nov28   0:00 [reiserfs/0]
root      1088  0.0  0.0   1532   360 ?        S<s  Nov28   0:00 udevd
root      4167  0.0  0.0      0     0 ?        S    Nov28   0:00 [khubd]
daemon    5743  0.0  0.0   1652   452 ?        Ss   Nov28   0:00 /sbin/portmap
root      6095  0.0  0.0   1552   380 ?        Ss   Nov28   0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      6097  0.0  0.2   2532  1444 ?        Ss   Nov28   0:00 /sbin/klogd -P /var/run/klogd/kmsg
root      6129  0.0  0.2  11524  1100 ?        Ssl  Nov28   0:00 /sbin/apcupsd
root      6137  0.0  0.4   9968  2376 ?        Ss   Nov28   0:00 /usr/bin/gdm
root      6141  0.0  0.5  10296  2820 ?        S    Nov28   0:02 /usr/bin/gdm
root      6177  1.3 14.0  77748 72420 ?        SL   Nov28  59:26 /usr/X11R6/bin/X :0 -br -audit 0 -auth /var/lib/gdm/:0.Xauth -nolisten tcp vt7
root      6402  0.0  0.2  20680  1384 ?        Ssl  Nov28   0:00 /usr/sbin/hpiod
root      6419  0.0  1.0   8300  5608 ?        S    Nov28   0:01 python /usr/sbin/hpssd
root      6756  0.0  0.1   1812   792 ?        Ss   Nov28   0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
backuppc  6768  0.0  1.0   7056  5468 ?        S    Nov28   0:05 /usr/bin/perl /usr/share/backuppc/bin/BackupPC -d
backuppc  6778  0.0  0.6   5032  3552 ?        S    Nov28   0:01 /usr/bin/perl /usr/share/backuppc/bin/BackupPC_trashClean
102       6781  0.0  0.2   2120  1056 ?        Ss   Nov28   0:00 /usr/bin/dbus-daemon-1 --system
hal       6793  0.0  1.1   7132  5704 ?        Ss   Nov28   1:23 /usr/sbin/hald --drop-privileges
gkrellmd  6807  0.5  0.2  10600  1280 ?        Ss   Nov28  23:44 /usr/bin/gkrellmd
privoxy   7144  0.0  0.3  36072  1560 ?        Ss   Nov28   0:14 /usr/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy /etc/privoxy/config
115       7199  0.0  1.1   7584  6056 ?        S    Nov28   1:48 /usr/sbin/tor
root      7211  0.0  0.1   1712   724 ?        Ss   Nov28   0:00 /sbin/rpc.statd
daemon    7267  0.0  0.1   1852   604 ?        Ss   Nov28   0:00 /usr/sbin/atd
root      7278  0.0  0.1   1908   812 ?        Ss   Nov28   0:00 /usr/sbin/cron

Title: Re: Dear HACKER
Post by Opus on Dec 1st, 2005, 5:25pm
Bummer, my list is too long to post in less than 4 posts so I will spare you the rest.

Opus/Paul [smiley=smokin.gif]

Title: Re: Dear HACKER
Post by Rock_Lobster on Dec 1st, 2005, 5:58pm
lol Paul... with that OS the only virus you are going to have to worry about any time soon is that one you picked up from that $7 ho in Amarillo.  

Title: Re: Dear HACKER
Post by Linda_Howell on Dec 1st, 2005, 6:41pm


 Hey unsolved,

   On the "getting to know you" section I just now answered a post from your son who was introducing himself to everyone, which I thought was great, but..... Just a thought now, mind you... Could HE, unintentionally of course, be the culprit?

Linda

Title: Re: Dear HACKER
Post by unsolved1 on Dec 2nd, 2005, 7:59am

on 12/01/05 at 18:41:45, Linda_Howell wrote:
 Hey unsolved,

   On the "getting to know you" section I just now answered a post from your son who was introducing himself to everyone, which I thought was great, but..... Just a thought now, mind you... Could HE, unintentionally of course, be the culprit?

Linda


Him? Sending out spam and viruses? No. Besides, he doesn't know my password(s).

UNsolved

Title: Re: Dear HACKER
Post by Drk^Angel on Dec 2nd, 2005, 12:41pm
I see the problem... That explorer.exe is a known security risk and it could be considered malware that is installed without the user's permission and/or knowledge.  It is even capable of automatically phoning home to retrieve updates to further compromise a system.  I say kill it.  :P

PFDAN.................................... Drk^Angel

Title: Re: Dear HACKER
Post by Ree on Dec 3rd, 2005, 10:41pm
DRK IS RIGHT..... I HAD THAT ONE BEFORE AND IT MESSES UP YOUR MAIL BIG TIME..... I WAS SENDING WORMS TO EVERYWHERE USA...... REE


